floxif | 3f3f34f2e808d7064a6db8b377974a4efb19eaf0218081ad84169a738aa92f54

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 21:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Size

3.3MB
MD5

251ca9918b204b5b04a059150481d9dd
SHA1

c6c2fa3f7827ac66067af68ba8f2ce29160b8dc4
SHA256

3f3f34f2e808d7064a6db8b377974a4efb19eaf0218081ad84169a738aa92f54
SHA512

a74ec7db35fa7367fb90f3330463cb19dc60c9c42c1bc9d4d554c4658653d48a9fb12f43806ff0c65d651d24ac755ac21a5ca483f8dc65c03bb73c8075603816
SSDEEP

49152:hAtaLZd5KAxBxFNPBN3N+rwItb9Lg2ZPV/yiwbRoNrA:hAoLZd5KAxXFNZN3NUwItb9LNPV/yus

Score

10^/10

floxif adware backdoor discovery evasion persistence stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000c00000001226d-1.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c00000001226d-1.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe /onboot"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c00000001226d-1.dat	upx
behavioral1/memory/2112-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-223-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-216-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-730-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-733-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-736-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-739-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2112-746-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
File created	C:\Program Files (x86)\Internet Explorer\IEShims.dll.tmp	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll.dat	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bc216ca110835149aaffab2df7f0646d000000000200000000001066000000010000200000000fc0bc26a6087dd065bcaaa5dc80a066c23a21f599b99a7f4a3db811e775dfc8000000000e80000000020000200000002862c7cf997704293546b0e835971a070dd8c947a541c1cb9d07a77eebb92b4790000000a572d6f5be8f0384cc98b9df23bb35f48af1a983716a4e959515c45365f05398d209519d00e85e72ffc14a3da6e0e35bead9afc3a935cf5c97ec956858665e5a05ec832f314a8e89a1fa1bae23bd82001fd5b35eac5054d3b97a16374e0988a42ed28f42598bc3613b5173898ca3bb94f63956304ae8ed19d4b907879afde716deeaf5299d62f78d7f6c15b175d6399f40000000f1089798793869b2bfce50bd996475aa41a2caeb92c042de2e39cf5647c67efacc264a078a08aae2bc3abf0955a429f3ec008ed7855da5d8d782cb8b0bd0bd1a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441928969"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CAB534A1-C887-11EF-B81F-6A951C293183} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEGetAll.htm"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bc216ca110835149aaffab2df7f0646d000000000200000000001066000000010000200000002f3d417366cf56015af4b9eaafefd0ffa0284475dd0ac7563e385ebc8929e815000000000e80000000020000200000001d845195c7ab10b0d915cd2f9d306d6294d5e06e65b9d3ed7928d4636c17f3c92000000002be8cdfb8970923888d7d46d670d4f28de40138c191090d5ffc68d4da567f9740000000f652c6b344caa07bb667b9a9a1c738c5936b7e01cd50cd029123f079980981fd215bd402e79eac3ca5b450d7261780edf2218048b549f721199c5cae71a9ba77	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60eaf0a0945cdb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\http\	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\https\	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "0"	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\ftp\	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Wow6432Node\CLSID	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
Token: SeRestorePrivilege	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
2884	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
2884	iexplore.exe
2884	iexplore.exe
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2884	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	31
PID 2112 wrote to memory of 2884	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	31
PID 2112 wrote to memory of 2884	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	31
PID 2112 wrote to memory of 2884	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	31
PID 2884 wrote to memory of 2704	2884	iexplore.exe	32
PID 2884 wrote to memory of 2704	2884	iexplore.exe	32
PID 2884 wrote to memory of 2704	2884	iexplore.exe	32
PID 2884 wrote to memory of 2704	2884	iexplore.exe	32
PID 2112 wrote to memory of 3016	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	33
PID 2112 wrote to memory of 3016	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	33
PID 2112 wrote to memory of 3016	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	33
PID 2112 wrote to memory of 3016	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	33
PID 2112 wrote to memory of 3016	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	33
PID 2112 wrote to memory of 3016	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	33
PID 2112 wrote to memory of 3016	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	33
PID 2112 wrote to memory of 2892	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	34
PID 2112 wrote to memory of 2892	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	34
PID 2112 wrote to memory of 2892	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	34
PID 2112 wrote to memory of 2892	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	34
PID 2112 wrote to memory of 2892	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	34
PID 2112 wrote to memory of 2892	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	34
PID 2112 wrote to memory of 2892	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	34
PID 2112 wrote to memory of 2780	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	35
PID 2112 wrote to memory of 2780	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	35
PID 2112 wrote to memory of 2780	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	35
PID 2112 wrote to memory of 2780	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	35
PID 2112 wrote to memory of 2780	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	35
PID 2112 wrote to memory of 2780	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	35
PID 2112 wrote to memory of 2780	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	35
PID 2112 wrote to memory of 2844	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	36
PID 2112 wrote to memory of 2844	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	36
PID 2112 wrote to memory of 2844	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	36
PID 2112 wrote to memory of 2844	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	36
PID 2112 wrote to memory of 2844	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	36
PID 2112 wrote to memory of 2844	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	36
PID 2112 wrote to memory of 2844	2112	2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe	36

C:\Users\Admin\AppData\Local\Temp\2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-01_251ca9918b204b5b04a059150481d9dd_floxif_icedid.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.internetdownloadmanager.com/welcome.html?v=607b8
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2884 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2704
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4a4f534ff78282bc1b9fc23b8151ea0

SHA1
9be3dd95ce12d58f1c1a9185eb030ef878fe61fe

SHA256
c89d15d62500d825ca6bef817f9375d72556a427ac8624343b0ba6fe3cf51edc

SHA512
a1c831558399cd3fd796610c91849f13ca713d9502d2743863f84648bcc556b39a0975bbdb2c1256f1aff103743499d9db8d640a3419f83e2ea81809cf0e5212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8674cc86d802c19d3072dc0316f6d447

SHA1
ef5e400e4e8c671b8593810134395dad8008bcca

SHA256
76583b8047906a788fd13805622044d497ddd7c1d9579a0b46e4a8dcd590c904

SHA512
a3639ccd932cd473070f05d2cbbcacc420ec119c68b252c0bcfe0145880f2c8478b7163efa8deca9e26b0dd78af937e27fb8451462aaf3de4682a4aa8beacb80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54d976a5912268eb4aa04ae3e0f5f15e

SHA1
c7fa583491fd12496ef96261756133f416e48a3b

SHA256
db38f44d416ad3fefed40dcd1ed46692e528a9a1bc6e7c1226781421e2f7bb06

SHA512
5d8cb99f692539d1d4722feb0b371f78af784df92ae104ac77116067932eb1df5cbc6b552a9fc140af0feb71f074d8be8f6adcfaa9abe9c2eab9f5ca67506903

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56a4b8a83cc028376b967b478edbae2e

SHA1
44dc210f6bedd8c09e046a6d8b2865791aaf003b

SHA256
3743fdd132b2e97ba248cf90ab8bcd54d02811d113f16d7856c18c22d503a54d

SHA512
d3deaf4f9f89c7b609bf86a10b55d5dfe84f2f6d0a926994eafe9a98cad0ebd20d56caaec57f06e9e11e4f203b2357857c310d9f416b0b2006468e25d4030b60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
857fa4e5040135b4df0b7373dfe29e5f

SHA1
c5a2e1e9cf61e3b625bcedc0e3ec7ef103f3988a

SHA256
5b5a07457b826308a2b5664b019a6b9ac987efc4edb00278506c89b4a9d5255b

SHA512
91fc825521e70a55671b39746804db93e78be88318fbdbf6819a269ce4c9362e72dafd424b5320b447c9831475d03cfd3c608139e9e6e5f5882a3c4327ba26ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
681af8343769082c6ba14279d394304a

SHA1
b48f5365500fbc6a58799fc7f0f2c87d60ba9d09

SHA256
82bc084b7c110849ef9856b61e6e11aaf29ea645509f03507b152bd525e9e4d8

SHA512
5ae81980831d8fd1bb39fcb71e56453c289bdceeaeae7e7fa0bd25ceaa9f2d11ab0c2d7b912f965fcdf2aac0034871d4bca76177a026e4292ab94f659922af1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10c65073301d75f0991b05dfdd0f81de

SHA1
9d31e8cf100550358b825878981caad0b23786c9

SHA256
b655e308e46d5b738d8797d5a956c1dd85a58909da498cbf28bc5df0f118bec4

SHA512
bdd87b5b5bd62706fcb9585cb84bad7e5a0d3ea0a232210e92fe2df83c6013c573c7d832fa811a365a7e930c59a04b6f8b5241103d0a617ba0d579dc10267e55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cf770e074f8439920cb437f024c260c

SHA1
083e1415408f4b9e950a604d12c9b6d182ec5a03

SHA256
397c5af53b96011100243cd4b59dcf32e6f6c85938997537bd8c56d39b8c644b

SHA512
4a951cd603f9d57ca5856a0a3b0c0cd61dfb696eb7c43852503bc6ce6b1dd1f7e81fefef3a91795d0991f77264a479e3a9dc0313a0477b53f2f3127f91e1e87b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28f7973d09207e3e12ad8f69964a8648

SHA1
e62e94c133ffd417cf5202b77ad73aa99dd65717

SHA256
659c634f7e150e59f19b4bbc728f593ff235ee2650be8e4a4858e616bf29dd9d

SHA512
366b31b119fe8ba798c011b635a3f3c82f96fad57c0764730c0688372cce63afcfb78d152a15d10b9c2d594cd4323921ebd64a9bcc4837a73e74d41783cdbed1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e4a9cfb78abcac36260f9500ec5ff8d

SHA1
fdb646820cb81a037eae174f4e818074e71f1624

SHA256
eecdeab0959f231f5404712fa93302033229c168a274e224def7b1e664020e15

SHA512
0815f3aa5e0840884bc5c19b566065864391fddf9ae59705ed39f79c8577e838cbc4851d50eb3addd8b5655bc6ed10f465d26b6e554c8d714b847399d9c2edab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
364bdd007318eccf8cdb5b05dbebde2a

SHA1
e704dbd6f4814774261bdf66f47de4002afef8fa

SHA256
a797353433f1ccf3020c67d09b385a0fc0b9d3c613a1524f60c978b11374e436

SHA512
944e20e4bdaad81e71c10a6810da3445b66906571083ff3d5eaab286e8383e38d7384510f95b7378beba5d68f96db4e7ee5cdf8fb8c3606157e999867b9f7f16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25dff62a977bb5512c7c4d325af97fae

SHA1
733bbf5ac8b4bab7b9a4d8d2025c8b35809d6292

SHA256
c55a40c31b22a28458ba29116778747f9e5e32e629620c78377e45e894373a34

SHA512
3934bcc0d3a0b236a3c893cf38222b74a7f2f31e7a198e1a7e66544db6cb490bd3d743074ec2b1fdb7fb98378df230171e55b66155c474a9d8f8333cbc744274

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fedef116c9e5931b8ae12fdb025653d6

SHA1
c9a41543fb4e7e9bcb85c61087aac9ed9727a24d

SHA256
2bcce684075bf7bd923abab4510f2acef9abf2c75dac98c6d8ac844785f8a5cc

SHA512
f3f8881905106365feeb19eb5cc52e9d680d3f9aed6be18bafc195fe0f6f9ebea1df023f4984ed8bb26226c0e5a7088034651d909c27b539af99b6769e3ca7bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31053b85dd653e5f75cbbd038e59abbf

SHA1
ee1c3ac36aa6ca789d8d30bdec174251f2fed29a

SHA256
0ae060f4a05b852db344c6451f8f3600e24d95ae070fabff472e465f02faed3b

SHA512
98c0ed333585af7e350539997e12ae97b687829153bd6c66ea338e2cf48b116f1abcd0d5eb192e62e743517994687bf7f2965e034b0e7d8a3d384874e4f1b2ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ac2bebe2e922e0367afa545dd41e36a

SHA1
f9d288dbd084b1bbdbc2d5a43eb9683c825ba0c7

SHA256
5cef459bc92ab028453251002d414634486c37a198d8c4fbc76981ba50e4f1d5

SHA512
6d434177a63d99d6aaf27f7ca4f1b38ecf609f9f1e98a31d8b9bfa752a0f99220dee2a4fdb03aa68cc6a1dfaeb9b7737eabb3244d1c739b0269622ae2f852d61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e97356048990b0026e74c7e22cccf2d

SHA1
9eb5413d97950cf013430213549e3407676f174c

SHA256
d60672695c52cffed5d6e7e83a1ea4857df5205a4ae6988e28e58318458cb66f

SHA512
6c5d8de8d5ccaf713fa21d5b427df366c47a801974def7b8e0baf09d8b02b234af472bf037522dcce6a3780fbb4397617ca0c98c1b06cc4a8cb9b94e59c0f361

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6d587b3b2fee6c4af26aeb0b5384fee

SHA1
6d72cb4e8043bd0569688d1a26faef577b3f69c5

SHA256
cbc285092c85f63c0a9f595930fdbfe0f1cc5aa87e3b15666b2050539994545f

SHA512
9c62beede16c532f147a2ef1298f5f6e25768f2da32b9581647d8b8e1ad0b2a7af39820c4329e8af914547521bcebc5e44b0b70b9d5ba8d690dc59fee5015b9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c68424a39a076a2ee936c800093cc5d3

SHA1
15b18e404f978bbcddb88e0e6a422bf86623874b

SHA256
1d505dfe74d6acdddcaf7128c968c54c7288f7174f82115bd75e9c9593f0df8d

SHA512
12d0b7c8a4656fd6da5f4edff4fde55cd2be0fc684e8975d7d110ce27290e09a1ea371e44bb295494b6b883fd44aa959de212811bc3e8251c2a2fccf6dfa694c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42cd9ed6fce069b6dcd255bbf7651fed

SHA1
3db0cb0fe41b3229d0664936dac736864f6bef6d

SHA256
320c47e3dd9d4955830137b2bd12cd952432d72f75a029a830b79e52e276ae9e

SHA512
2616686492d9630a88a599ede92df59b7e69c450f8e15165783efbbf78bdb6d5f1021fc3afdd8ebdc6c8abbd91d455fafc5a5a72ca7d9ab1cc2784c1779febbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbc5c62924ff237a05b084ce1bc4ef3a

SHA1
c6c95947997496b5863a21aafdb290398725b9e6

SHA256
2dc67f26f0da8214f73b5125ee4199a6d4bb67c6ba74c9f1397d82b015a3f70a

SHA512
3adf7452aabdcf65ae94ab0138bef98e7f3e49fedf222a0714dfa892b5df90534c638aaa7e4176f7d9a54fc8279bac74490cc9879d2e1dce0e3c9119c55ac77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCC56.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCC97.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\update607_1\update607_1.log

Filesize
241B

MD5
727edbf45fc47c658c5ebf8c1d157ba1

SHA1
3258ca53e334eda85701903067a43eda236d70ad

SHA256
48d70c0fe0691379b21801bc3df993603f19ff2f90063cd66051aa89e6ec6249

SHA512
6af3b5d44b0a807ad1b5eb3145a6d4383aebad271d74672fa8d3fc41bf6be8ccdb976ad35db1bc9dfd62b6cd44688bd41650cf34cb4f1fb8866f162785594b9e

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\update607_1\update607_1.log

Filesize
877B

MD5
98304952378c53dc67836625a269ea1b

SHA1
3e6b8d908e93d06450d329d219fcfc68fce61cf5

SHA256
971e494cde3f5e9cd545e674e73c6b8e7ebd5fd12425e2054f0f6fa93aaa5a48

SHA512
d0195fae85e3aee8df0e8daf1e7c328537af52ab1e89c919ad173e1959ca123ab53bd6eec8e8d70990c75f4c9c0346d9ada33ae5004115104b723d2a148c0e67

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\update607_1\update607_1.log

Filesize
1KB

MD5
b6674a83f55f780dfcd8f37362d093ff

SHA1
db5bd90022dce01e6bede25086cc20d266866f52

SHA256
f1ca1bd0977aafecc145df09c521dec82994095862b8e4be232ef338a391c98c

SHA512
44eac0de6a0e14b54dfdf52472feb84a88b28dcd224eaf31b1a31e433aa1459a88d6014ae590c248d3d55f8146f5a3eb5a4fc6ac0fba05be1e0f87220f149a87

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\update607_1\update607_1.log

Filesize
1KB

MD5
5908f9f28a0cf967c203ea9ed62f0997

SHA1
f15731cd92a26dba535809e2dc161899935ebfc7

SHA256
20d896999c66b075287cceab228d37fad73bf92a4b6f8ca2d6396ed7c48270d4

SHA512
98bc1db8fdb779c8306a687c4e7fba6c1046d3ff7a9cfa554f799566720558f99e3756f153e15fdb8010803afff7c33852de5d5841483199bed588ffcaaa2dc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\200VJMKD.txt

Filesize
103B

MD5
78941a152ccadf01449571bdb2d960ed

SHA1
24467b6bb28e59bcf5209abe2744845184e852c2

SHA256
ef4c322f8b340dfbc551e46a3f89b62e34cc651ac855b42d587f5af953328107

SHA512
ce3990020b7b8bea01f5a5d6572af1c0ce5b74672bd7d4465d757fdfe719a7f44ab4c60d42fc56d41818106db23ce5b8c8ad70ba922ab8b3b7d77a9e60eddf22

Download Submit
\Program Files (x86)\Internet Explorer\IEShims.dll.tmp

Filesize
313KB

MD5
3ea6a574a4fbcc55c47760beb01f8846

SHA1
47af2594eb122f125c1b3563e163fc3999e3561b

SHA256
bfcb9b6f8525cdbdc9f35c830ae879b962753d0d9f5f99344653313b2c937faa

SHA512
d09eea2e1de57c974a18d84ebceab4256fa91aaf6429711651c1f354b854405e437c0842b84b9f50024786cea098532831ae881b201e322e6dc1912ac09f1c1e

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Users\Admin\AppData\Local\Temp\A1D26E2\C7E16A4840.tmp

Filesize
3.3MB

MD5
cf64e84bbafeb46043c61e71384bc129

SHA1
dbd47af142d2cb18c2380f561224015f959a68fe

SHA256
8405387038c569fcfdcecbfcd3862629dd2893ca84b82793acec01fb14c16419

SHA512
f075f8850e39b9a5dca4cff12e65d744c124246b3817761d81816db93f9726915641a96cd3b3cb408e80f7f3a52e2676ec9a6e9394f43db2b4e8907418a252fa

Download Submit
memory/2112-736-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-739-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-733-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-730-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-216-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-223-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-746-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2112-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download